CVE-2016-3087
published 2016-06-07

Priority: P182, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 81.09% (99.6th percentile)
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Affected

7 ranges
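| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | | |
| apache | struts | | |
| apache | struts | | |
| apache | struts | | |
| apache | struts | | |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.21 | 1.0.1f-1ubuntu2.21 |
| openssl | openssl | >= 0 < 1.0.2g-1ubuntu4.5 | 1.0.2g-1ubuntu4.5 |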

Detection & IOCs (extracted from sources)

  • Look for HTTP POST requests containing OGNL expressions with '!' (exclamation mark) operator in the URI path targeting REST plugin endpoints, particularly patterns like `#[email protected]@DEFAULT_MEMBER_ACCESS` URL-encoded in the request path.
  • Detect OGNL payloads referencing `@org.apache.struts2.ServletActionContext@getResponse().getWriter()` or `@java.lang.Runtime@getRuntime().exec(` in HTTP request URIs, which are characteristic of S2-033 exploitation.
  • Monitor for HTTP POST requests to REST plugin paths where the URI contains URL-encoded OGNL expressions including `#xx.toString.json` and `#xx:#request.toString` as the exploit appends these as the payload suffix.
  • Detect use of `sun.misc.BASE64Decoder` and `@org.apache.commons.io.IOUtils@toString` within OGNL expressions in HTTP requests, indicating command execution with base64-encoded command parameters.
  • Alert on HTTP 200 responses to REST plugin endpoints where the response body contains arithmetic sum results flanked by random alpha strings — this is the vulnerability check/canary pattern used by exploit tools.
  • The vulnerability is only exploitable when Dynamic Method Invocation (DMI) is explicitly enabled in the Struts configuration. Installations with DMI disabled are not affected.
  • Affected versions are 2.3.20–2.3.28, but versions 2.3.20.2 and 2.3.24.2 are explicitly patched and not vulnerable.
  • The exploit requires the REST Plugin to be present and active in the Struts application; applications not using the REST Plugin are not exploitable via this vector.
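
One way to apply the request-URI indicators listed above to web-server access logs, as an added example that is not part of the original entry or of any tool it cites. The combined log format, the function names and the sample lines are assumptions; the sample lines are constructed, with "..." standing in for omitted payload parts.

```python
import re
from urllib.parse import unquote

# Indicator substrings taken from the detection notes above.
INDICATORS = {
    "member_access": "@DEFAULT_MEMBER_ACCESS",
    "response_writer": "@org.apache.struts2.ServletActionContext@getResponse().getWriter()",
    "runtime_exec": "@java.lang.Runtime@getRuntime().exec(",
    "suffix_json": "#xx.toString.json",
    "suffix_request": "#xx:#request.toString",
    "base64_decoder": "sun.misc.BASE64Decoder",
    "ioutils": "@org.apache.commons.io.IOUtils@toString",
}

# Request line and status of a common/combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_uri(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded paths are still matched."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def scan_line(line):
    """Return (method, status, sorted indicator names), or None if nothing matched."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    uri = decode_uri(m.group("uri"))
    hits = sorted(name for name, needle in INDICATORS.items() if needle in uri)
    if not hits:
        return None
    return m.group("method"), int(m.group("status")), hits

# Constructed sample lines (not real traffic); "..." marks omitted payload parts.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2016:10:00:01 +0000] "GET /orders/3 HTTP/1.1" 200 812',
    '192.0.2.66 - - [07/Jun/2016:10:00:02 +0000] "POST /orders/3/%23a%3D%40DEFAULT_MEMBER_ACCESS%2C...%2C%23xx.toString.json?%23xx%3A%23request.toString HTTP/1.1" 200 64',
    '192.0.2.66 - - [07/Jun/2016:10:00:03 +0000] "POST /orders/3/%2540java.lang.Runtime%2540getRuntime().exec(...) HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_line(line))
```

The returned status code lets an analyst separate probes that were rejected from requests the REST endpoint answered with 200, which the notes above single out for alerting.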

CVSS provenance

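| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |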